QANTAS Cyber Incident

The 'news' has reported what happened when it happened. Why do they need to rehash the same thing every day?

That aside, timing could not have been better for Qantas. Something else was occupying airtime, printspace and web headlines at the time and being rehashed in depth every day for weeks (according to MediaWatch anyway, not from experience as I just turn off both physically and mentally whenever there's a "megastory" out there). Qantas cyberattack had no chance of getting any meaningful "airtime".
 
Over dinner tonight

I just heard my brother-in-law lost all his Qantas points, following the inability to access his account for a couple of days.

Unclear where points went.

Resolution underway but unclear after 3 days apparently

Step one is QF asking him for photo ID (which of course has some trust issues)
 
How many points are we talking?

Do you know the specifics of what data he had leaked?
 
And I wonder if his QFF account PIN was his birthday??
I thought all elevated things like transfers and changing details required an SMS or email verification at the least.

I guess booking using them wouldn't but that'd be a bit more traceable?
 
Though once logged into the account, it is likely possible to change the mobile phone number and/or email address details. QFF recently added the option for two-factor authentication, but it is optional and I bet there are a lot of members who have not yet activated it.
 
No. If I want to log into my QFF account and they want 2FA, the first is a code to my old phone number, which I don't have any more. So I tick the try another way and a code to my email or answer security questions.
But now logged in and I want to change my phone number, the only way I can do it is by a code sent to my now non-existent phone number.
 
Got to love those wonderfully thought-through processes.

I suppose the next option is to call the service centre and convince the out-sourced off-shore call centre agent that you are the owner of the account, by providing lots of personal details like name, address, date-of-birth, QFF membership number, current points balance, status level, gender, meal preference ... you know the drill. Then have mobile phone number changed to a +63 phone number :rolleyes:
 
See the Qantas Customer Care reply received today:

Dear Telemachus,
We sincerely apologise for this incident, the concern it has caused and appreciate your understanding.
Last week, Qantas finalised emailing affected customers to advise them of the types of their personal data that was contained in the impacted system and provide advice and support.
If you have been directly impacted, you will have received an email to advise you of the types of personal data that was contained in the impacted system for you. Our customer records are based on unique email addresses, so if you have multiple email addresses registered with Qantas, you may receive a separate notification to each impacted email address. Customers who had multiple records held in the impacted system may have received more than one notification.
There is no evidence that any personal data stolen from Qantas has been released but, with the support of specialist cyber security experts, we continue to actively monitor.
Our analysis also confirms that no credit card details, personal financial information, or passport details were stored in the affected system. Your Qantas Frequent Flyer account remains secure - passwords, PINs, and login details were not accessed or compromised.
Our dedicated support line remains available 24/7 on 1800 971 541 or +61 2 8028 0534, where our team can provide specialist identity protection advice and resources. For online assistance and resources, you can also visit Scamwatch, Cyber.gov.au and IDCARE's Learning Centre.
Whilst we empathise with your concerns, compensation is not available at this time. We recognise the uncertainty this incident may have caused and are deeply sorry.
Kind regards
Qantas Customer Care


Clearly just a generic message sent to anyone who had contacted Customer Care about the breach. It consists almost entirely of points already made in QF public statements and in the emails sent to QFF members. I think the last line saying ‘compensation is not available at this time’ is the only new information.

This QF message does not address the issues raised in the form I submitted. I didn’t request compensation! Having taken all QF-recommended steps for action by me (the customer), what I asked for was to be informed what else QF itself would now do to reduce the ID theft risk to me created by their failure to safeguard my PII.

Provision of credit monitoring, at least for those with the ‘full set’ of data fields compromised, is an obvious option that QF must have considered. Can’t say I’m surprised that they won’t be offering it – at least for the time being when specifically requested by lower forms of life such as this LTG member of QFF. So I will fund the credit monitoring myself or else extend the total ban on credit reporting I’ve put in place – when the initial 21 day validity period for the reporting ban expires.
At the risk of sounding like a Qantas basher (I’m not, I just dislike their management), this just perfectly exemplifies the Qantas customer service attitude: apology, apology, blah blah blah, now go away!
 
I’ve received both emails. I wonder if QF is going to provide affected customers with any compensation, i.e. points?
 
Per the article I linked earlier, there's a suggestion that where greater info like @Askance's was taken, there was some targeting of that information by the threat actor. Seems to me that those people in particular should get a bit of extra advice/assistance as there's a suggestion that the attacker was specifically targeting their info.

In my case (minimal leak) I don't expect a thing but I'd be disappointed if QF didn't follow up for those who were targeted specifically to help them with advice or identity protection.
Thanks for the info. I scored almost the full bingo card and am Very concerned. Can switch email address (annoying), register a different address, and change phone (Very annoying) but that's about it. There was a Reddit suggestion that more recent QFF flights had more data leaked. Qantas needs to acknowledge that the more personal data breached the more the likelihood of identity theft. Without jeopardy significant compensation in the form of status and points would go some way to Qantas convincingly acknowledging responsibility.
 
I’m not sure people are suggesting identity theft out of this breach.

The more likely angle is that a number of elements could be used for scam emails or texts… for example your name, number of points and tier status with a ‘click here’ as ‘your points are about to expire’ or ‘we have detected unusual activity on your account’.

Those should hopefully be able to be managed.
 
Well I had nearly the full bingo card, including phone number. This morning was on the phone to a family member and a voice came on saying this call is being recorded. Hung up straight away. So maybe they are hacking into calls?????
 
